David Bradbury, chief security officer for Okta, in a brief post on the company’s blog:
In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party

Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.
The screenshots they “became aware of yesterday” were shared on social media and, because Okta provides secure authentication to many companies, the breach has been widely publicized. What Bradbury claims matches the evidence to date — that the attackers gained the privileges of a support engineer and no more. That’s something, but it doesn’t seem to be catastrophic. It would be a lot more reassuring, though, if the January incident had been disclosed before these screenshots were leaked to the public.
(This same hacking group, “Lapsus$”, claims to have stolen the source code for Cortana, Bing, and other projects from Microsoft.)
Update: New post from Bradbury:
After a thorough analysis of these claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.
Yowza. Seems pretty likely to me this is how “Lapsus$” stole source code from Microsoft.
★ Tuesday, 22 March 2022